Library usage with disabled cookies causes "failed to read 'localStorage' from Window: Access denied"

[raizemm]

We ran into an issue using this library inside our app with one of our users who had disabled cookies for all sites inside chrome settings (chrome://settings/cookies, "Block all cookies" or add a new entry to "Sites that can never use cookies" section), which resulted in the application unable to load throwing following error:

What we tried to do is to provide MemoryStorage implementation for users with disabled cookies, therefore unable to access localStorage, but unfortunately even if we provided correct Storage to those users the app still won't load.
I think the issue is that inside OAuthService constructor

angular-oauth2-oidc/projects/lib/src/oauth-service.ts

Line 160 in 8d152c2

typeof window['localStorage'] !== 'undefined'

there is a check for localStorage existence which throws the error mentioned above. There are also some other window['localStorage'] checks inside OAuthService which would probably fail in this situation.

Would you even consider this a valid scenario with the fallback to the MemoryStorage to let the application work?
If yes maybe localStorage usages within the library should be wrapped in try-catch block?

[jeroenheijmans]

I'm a tad confused: the title mentions "cookies", but the question seems to be about storage causing issues? The latter would make more sense, since this library doesn't do anything with cookies as far as I know. (Though your login server will very likely use cookies for interactive flows, so I don't know if OIDC flows will work at all if you're blocking cookies.)

Could you help us get a reproducible scenario? For example something like:

1. clone the repo, npm install, run the sample app
2. <specific settings in chrome to enable/disable>
3. changes to the sample app, if any at all
4. ways to click/use the sample app
5. actual outcome or error + expected result

[raizemm]

Sorry I could've used a better title for the question :)

You can easily reproduce the error I mentioned like that:

1. Go to chrome settings -> Privacy and security -> Cookies and other site data
2. Under "Sites that can never use cookies" section add any website or any app that's using the library
3. Reload the site you just added or just open it in new tab
4. Inside DevTools try to access window.localStorage
5. You should receive the exception that the access was denied for this document

I know that this behavior is browser-specific and by disabling cookies the browser does more than just that.

[jeroenheijmans]

Wow, interesting that disabling cookies also disables localStorage. I can imagine it breaks this library too.

That's likely something the lib could be more robust against. I'm not entirely sure if there's gonna be a community member to do a PR (and also note that merging of PRs has been on hold for some time already, at the time of writing), especially since it's a very edge case, which will likely break on the STS side after you'd make this lib robust against it. (Since the Secure Token Server will also likely need cookies to function...)